
Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers #72


Description

@lwwmanning

Surfaced during the supply-chain hardening audit in #68.

Location: next.config.mjs:52 (the headers() block)

Issue: The current response headers set neither Cross-Origin-Opener-Policy (COOP) nor Cross-Origin-Resource-Policy (CORP). COOP puts our top-level document in its own browsing context group, so a cross-origin page that opened us (or that we opened) loses its window handle; CORP tells the browser to refuse handing our responses to cross-origin no-cors loads (<img>, <script>, no-cors fetch) from other sites. Together they limit what a malicious cross-origin context can do to or learn about this site, including Spectre-style reads of our responses from another site's process.

Proposed fix:

  1. Add Cross-Origin-Opener-Policy: same-origin to the headers block. A cross-origin document that opens us gets a severed window.opener, and a cross-origin popup we open cannot keep a handle back to us either.
  2. Add Cross-Origin-Resource-Policy: same-site so other sites cannot load our responses via no-cors requests. Fonts/images we deliberately want shared need Cross-Origin-Resource-Policy: cross-origin on those paths instead (headers() can set it per source pattern, and a later matching entry overrides an earlier one).
  3. Consider Cross-Origin-Embedder-Policy: require-corp only if we need cross-origin isolation for SharedArrayBuffer / high-resolution timers. We don't currently, and require-corp would force every cross-origin subresource (including the vercel.live script) to opt in via CORP or CORS, so skip it.

Caveat to test: the Vercel Live toolbar (vercel.live, allowed in our CSP) is active on preview deploys. Note that neither header governs framing: COOP is only honoured on top-level documents, and CORP is not checked on navigation requests, so whether vercel.live can put vortex.dev in a cross-origin iframe is decided by frame-ancestors / X-Frame-Options, not by this change. What COOP: same-origin can break is any popup flow the toolbar relies on from our page, because a cross-origin popup we open will no longer see window.opener. If that breaks the toolbar, two paths:

  • Scope COOP to non-preview deploys only, gated on the same env signal next.config.mjs already uses to decide on vercel.live.
  • Use same-origin-allow-popups, which is more permissive: popups we open keep their opener, while cross-origin pages that open us are still cut off.

Estimate: low. ~10 lines of config plus verifying that the preview-deploy toolbar still works.
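The proposal above as working config, added here as an illustration and not the project's actual next.config.mjs: the COOP/CORP entries for the headers() block, the preview-deploy gate, the per-path CORP relaxation for shared assets, and a small audit helper for checking a deploy after the change ships. Assumed names: the env signal is VERCEL_ENV === "preview" and the shared assets live under /fonts; both are placeholders to be replaced with whatever the real config uses.

```javascript
// Added example, not the project's real next.config.mjs: the headers() entries
// proposed in this issue, with the preview-deploy gate. Assumption: the env
// signal is VERCEL_ENV === "preview" (the real config's signal may differ).
const isPreviewDeploy = process.env.VERCEL_ENV === "preview";

// COOP/CORP for every route. On preview deploys COOP is relaxed to
// same-origin-allow-popups so a popup we open (e.g. by the vercel.live
// toolbar) keeps its window.opener; cross-origin openers of *us* still lose it.
function crossOriginHeaders({ preview = isPreviewDeploy } = {}) {
  return [
    {
      key: "Cross-Origin-Opener-Policy",
      value: preview ? "same-origin-allow-popups" : "same-origin",
    },
    { key: "Cross-Origin-Resource-Policy", value: "same-site" },
  ];
}

// Route table for next.config.mjs headers(). Next.js applies every matching
// entry; when two set the same key the later one wins, so the assets we want
// embeddable cross-site (assumed path: /fonts) get CORP: cross-origin.
function headerRoutes({ preview = isPreviewDeploy } = {}) {
  return [
    { source: "/:path*", headers: crossOriginHeaders({ preview }) },
    {
      source: "/fonts/:path*",
      headers: [{ key: "Cross-Origin-Resource-Policy", value: "cross-origin" }],
    },
  ];
}

// Verification helper for the deployed site: pass a fetch() Response.headers
// (or a plain { name: value } object) and get back a list of problems.
// An empty list means both headers are present with an accepted value.
const EXPECTED = {
  "cross-origin-opener-policy": ["same-origin", "same-origin-allow-popups"],
  "cross-origin-resource-policy": ["same-site", "same-origin"],
};

function auditCrossOriginHeaders(responseHeaders) {
  // Headers.get() is case-insensitive; for plain objects compare lowercased keys.
  const lookup = (name) => {
    if (typeof responseHeaders.get === "function") return responseHeaders.get(name);
    const hit = Object.entries(responseHeaders).find(
      ([k]) => k.toLowerCase() === name,
    );
    return hit ? hit[1] : null;
  };
  const problems = [];
  for (const [name, allowed] of Object.entries(EXPECTED)) {
    const value = lookup(name);
    if (value === null || value === undefined) {
      problems.push(`${name}: missing`);
    } else if (!allowed.includes(String(value).trim().toLowerCase())) {
      problems.push(`${name}: unexpected value "${value}"`);
    }
  }
  return problems;
}

// Wiring in next.config.mjs:
//   export default { async headers() { return headerRoutes(); } };
// Checking a deploy (preview or production) after the change ships:
//   const res = await fetch("https://vortex.dev/", { redirect: "manual" });
//   console.log(auditCrossOriginHeaders(res.headers)); // [] when correct
```

Run the audit against both a production and a preview URL; the preview one should report same-origin-allow-popups rather than same-origin, and the fonts path should come back with cross-origin for CORP. The audit deliberately accepts unsafe-none as a problem rather than as "header present", since that value is the browser default and adds nothing.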

Labels: enhancement (New feature or request), security (Security findings, hardening, and vulnerability disclosure)